Zabbix
Open-source monitoring platform for infrastructure, applications, and networks.
- Latest version: 7.4.11
- Release date: June 02, 2026
- Security status: 3 high-severity CVEs tracked in the last 90 days. Current version not affected.
Source
Public release notes are linked for the latest stored release.
Release history
See the latest published releases stored for this product.
| Version | Published | Notes |
|---|---|---|
| 7.4.11 | 2026-06-02 | Release Notes |
| 7.4.10 | 2026-05-06 | Release Notes |
| 7.4.9 | 2026-04-08 | Release Notes |
| 7.4.8 | 2026-03-13 | Release Notes |
Vulnerability tracking
versionPing monitors CVEs for this product. Matching CVEs are listed below. We only display CVEs with a CVSS score of 7.0 or higher that were published within the last 90 days.
Affected status is inferred from published affected version ranges where available. Always verify against the vendor advisory before making production decisions.
| CVE | Severity | Published | Status | Summary |
|---|---|---|---|---|
| CVE-2026-23928 | HIGH (7.3) | 2026-05-06 | Current version not affected | The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0. |
| CVE-2026-23921 | HIGH (8.7) | 2026-03-24 | Current version not affected | A low-privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise. |
| CVE-2026-23919 | HIGH (7.1) | 2026-03-24 | Current version not affected | For performance reasons, Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript preprocessing, and webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built-in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information [in Zabbix documentation](https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe). |